Monday, August 27, 2012

Who's Responsible for the Saudi Aramco Network Attack?

Saudi Aramco R&D headquarters

At least three different hacker groups have claimed responsibility for the August 15th, 2012 attack against Saudi Aramco's network, which damaged 2,000 servers and up to 30,000 workstations but failed to impact the segregated production and exploration networks. Only two of the three groups are named, and neither of the two has an Internet history associated with its name.

The first, which calls itself the Arab Youth Group, uses terms like "evil Al-Saud" and "Al-Saud traitors" and specifically refers to Lebanon and the Forqan War (aka Operation Cast Lead, 12/2008-1/2009), in which at least one Iranian hacker crew, the Ashiyane Security Group, participated.

The second hacker group calls itself the Cutting Sword of Justice. They posted multiple pastebins containing proof of the scale of the attack in the form of IP addresses of compromised servers. They also posted the start date and time of the attack, which corresponds to the code string found in Shamoon. Their posts lacked the religious phrasing of the Arab Youth Group and emphasized "tyranny" and "oppression" instead.

The third hacker group is the one which announced a second attack on 25 Aug 2012 at 2100 GMT in order to prove that they didn't need an insider's help. That attack doesn't appear to have been successful. The Cutting Sword of Justice specifically referred to them as a separate group, and their phrasing and word choice differ from those used by the Arab Youth Group. This third group seems to be a latecomer and can be dismissed as an active participant in the attack. And while the Arab Youth Group and the Cutting Sword of Justice have claimed responsibility, the timing and circumstances of the attack elevate it beyond either of those groups' ability to conduct it alone.

Iran and Hezbollah
According to the analysis of Shamoon done by Kaspersky Lab, it appears to be related to the Wiper virus that struck Iran's oil ministry last April. None of the security labs have a copy of Wiper, but since Iran was the victim, it would be in the best position to produce a similar or reverse-engineered version, which Kaspersky has named Shamoon.

Hezbollah, a Shi'a militant group based in Lebanon, receives financial and political support from Iran. Since Hezbollah's members include hackers, and given Iran's decision in late 2010 to recruit hackers into the ranks of its Basij paramilitary corps, Hezbollah's possible involvement in this attack against Saudi Aramco must be properly evaluated.

In fact, a Saudi Arabian minister was quoted in a 2007 U.S. diplomatic cable expressing his fear that Saudi Aramco had some employees who were members of Hezbollah and who were in a position to disrupt oil production.

Lebanese Shi'a Questioned
According to this Arabic website, up to 70 Aramco employees, including Lebanese Shi'a, are being investigated for involvement in the attack. There's not enough information to know whether they were investigated because their religious beliefs made them suspect or because there was evidence connecting them to the attack. Knowledgeable sources have told me that the number of suspects has been reduced from 70 to 20.

Tension between Iran and Saudi Aramco Over Oil Embargo
The stated motivation for this attack by the Arab Youth Group and the Cutting Sword of Justice is a nebulous religious objection which completely fails to acknowledge recent events related to the oil embargo placed upon Iran by the U.S. and the European Union, which went into effect on July 1, 2012. Is it just coincidence that these groups attacked now? More likely, in my judgment, is that this attack represents retribution for Saudi Arabia's Foreign Minister Prince Saud al-Faisal saying that talks with Iran are a waste of time and that the oil embargo should proceed as planned.

To add fuel to this fire, on July 20 India's Mangalore Refinery & Petrochemicals Limited "bought Azeri, Saudi and Emirati crude to replace imports from Iran in July 2012 and it may halt purchases from Tehran altogether as sanctions make shipments more difficult." Iran responded with a threat to close the Strait of Hormuz if sanctions weren't revoked; however, that same threat has been made many times before and Iran has never carried it out. A much more likely form of retribution, and one that's considerably safer for Iran, is to sponsor a damaging network attack against Saudi Aramco through a proxy like the Arab Youth Group.

Summary
Iran is at the center of every significant aspect of this attack. It is the only nation with access to the original Wiper virus from which Shamoon was copied. Iran is angry at Saudi Aramco for offsetting Iran's drop in oil production due to the embargo that started 45 days prior to the attack, which gives it motive. It supports a militant organization (Hezbollah) that uses hackers and which allegedly has members employed at Saudi Aramco, which gives it opportunity and access. While the involvement of both the Arab Youth Group and the Cutting Sword of Justice gives the attack the appearance of a mere hacktivist operation, I think that a careful analysis of the known facts points to a state-sponsored attack by Iran that was crafted to look like the work of hacktivists. Perhaps Iran has learned something from Russia about the strategy of misdirection via the government's recruitment of patriotic hackers.